Request regarding cookies and embedded content

  • I’m not sure what would be the most appropriate forum for this post, since it ultimately pertains to WordPress.org policies rather than to any specific technical issue or feature request.

    It would be great if WordPress.org could start moving toward requiring plugin and theme developers in the repository to disclose on the applicable plugin or theme page what cookies they set, if any (including what those cookies do and their normal duration), and what embedded content they use, if any (including stuff like Google Fonts or embedded video players, even if just on the dashboard).

    In a growing number of jurisdictions, website owners are legally responsible for knowing and disclosing that information to end users. For those of us who are not developers, this is a major pain, requiring constant detective work to identify different cookies and figure out what’s setting them and why. (There are some automatic cookie detection tools, but they are not 100 percent reliable, especially if certain cookies are only set in certain circumstances.) That means adding a new plugin or switching themes might also leave a website owner technically in violation of cookie disclosure or other privacy laws while trying to figure it out.

    Even in areas with less stringent online privacy rules, embedded content is not necessarily desirable. The widespread use of Google Fonts and Google Hosted Libraries, for instance, may provide certain performance advantages, but it also comes at a cost to user privacy and can create technical issues in regions where those services are blocked.

    For these reasons, it would be enormously helpful if when I was browsing plugins or browsing themes on WordPress.org, I could easily check the appropriate tab to see what cookies it uses and whether it uses Google Fonts or other embedded resources (in the same way other add-on repositories typically require developers to disclose what permissions their add-ons require and why). The developers presumably know better than most users what’s in their themes and plugins, and if there’s a standardized form to fill out for it, disclosing that information doesn’t have to be an insuperable hassle.

    I realize this isn’t something that could happen overnight, but it’s something I’d love the WordPress.org team to seriously consider phasing in. There’s a real risk that draconian, hard-to-comply-with privacy laws may end up making website ownership a corporate-only proposition. Given the popularity of WordPress, clear disclosure of these points would help to forestall that by giving less technically adept users the information they need to at least try to comply.

    (If there is a more appropriate forum for this suggestion, I would appreciate it if someone could help me move it there. Thanks!)

  • WordPress already has the functions that can be used to fill in parts of the Privacy page. Whether those functions are used is another story.
    There is ongoing work to improve this for plugins and themes.
    See #48486: feature request: Add compliance tab to plugin repository pages on WordPress.org

    But the plugin and theme guidelines already contain restrictions on using external resources, so there isn’t much to do.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    > It would be great if WordPress.org could start moving toward requiring plugin and theme developers in the repository to disclose on the applicable plugin or theme page what cookies they set, if any (including what those cookies do and their normal duration), and what embedded content they use, if any (including stuff like Google Fonts or embedded video players, even if just on the dashboard).

    Just that alone would be burdensome and kill the desire for many people to contribute code here.

    *Drinks coffee*

    As Joy pointed out, there’s already a guideline for plugins and themes and that has to be adhered to in order to host a plugin or theme here. Some plugins are small and do one thing well and adding that would pretty much discourage the submitter from sharing that here.

    I do get the issue for web site owners but the responsibility for that disclosure is on them. If someone can’t see from the source code (many plugins are hundreds of lines and many files) then the best solution is to ask the developer in their support forum for their plugin or theme.

    If the information is not forthcoming then the site owner can simply choose to use a different plugin or theme.

    The thing is, the lack of disclosure by developers makes it very difficult for website owners to make those choices. If I want to find a theme that doesn’t use Google Fonts, for instance, I have to download it and dig through the source code — the repository lets me search certain design types, but not that crucial privacy question.

    Again, many of us are not developers and not coders. The “eh, well, it’s your problem, learn to code” attitude makes compliance challenging, and the penalties for noncompliance can be extraordinarily steep.

    Also, I’m not suggesting that developers be barred from using cookies or external resources (which would be silly as well as impractical), just that they put that information into some consistent place on the theme or plugin page so that users can make an informed choice.

    I don’t really see how doing that is more burdensome and onerous for developers than ending up fielding the same question multiple times in the support forums or other feedback messages. And, some plugins use neither cookies nor external resources, so there’s no documentation involved in that other than maybe clicking “no” on an upload form.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    > The thing is, the lack of disclosure by developers makes it very difficult for website owners to make those choices

    They do disclose it. It’s in the source code. 😉 Or you can ask for that in the plugin/theme support forum.

    > Again, many of us are not developers and not coders.

    > I don’t really see how doing that is more burdensome and onerous for developers than ending up fielding the same question multiple times in the support forums or other feedback messages.

    I know that you don’t see that or you’d not have posted this. You’re asking for placing another unnecessary barrier for people to contribute code. Documenting code is tedious enough, you are asking a contributor to increase their burden when all they want to do is share code.

    Let’s not do that. Let people contribute and not make that any more difficult.

    It would help if there were a standardized tab for it in the plugin/theme pages, even if filling it out were not mandatory.

    Again, I am not a developer. Neither are a lot of WordPress users. I am facing a legal climate that is increasingly calling for fines of thousands of dollars for noncompliance over things like cookie disclosures that are challenging to figure out for people who are not developers (or even people who are developers dealing with someone else’s code).

    Why is it not onerous to have keywords to let me search themes by how many columns they are, but onerous to provide some indication of whether they use Google Fonts?

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    > Why is it not onerous to have keywords to let me search themes by how many columns they are, but onerous to provide some indication of whether they use Google Fonts?

    Because it is?

    *Drinks coffee*

    Let’s say I wrote the Hello Dolly plugin (I didn’t, it’s just an example). Here’s the keywords I would choose.

    Louis Armstrong, Jazz, example plugin, admin notice

    And that takes no time at all. Why would it?

    Now imagine it’s 5,000 lines of code. I wrote it, I want to share it, it solved a Wonderful and Unique Problem™ that has plagued people for years.

    You want me to go back and document any cookies it may use to satisfy your problem?

    That’s an additional level of work that is not needed for any open source community project. This is not a marketplace, there is nothing to sell here. This isn’t the Apple Store, it’s not Google Play store.

    If you need to know that cookie information you can ask, you can look at the source. If that doesn’t work then don’t use that plugin.

    *More coffee, so good*

    That does not mean people who publish code here get to do bad things. That’s what the plugin/theme guidelines are for. But what you’re asking is an additional and unnecessary barrier for code contributors.


    I’m surprised by the implication that the substantial challenges and compliance with expansive privacy laws like the GDPR and CCPA is some kind of eccentric personal problem of mine, but if that’s the official position of the WordPress.org community, so be it, I guess.

    > You’re asking for placing another unnecessary barrier for people to contribute code. Documenting code is tedious enough, you are asking a contributor to increase their burden when all they want to do is share code.

    Mozilla requires it to some extent
    so does Chrome
    but for WordPress it’s too burdensome?

    i agree with the OP in that plugin devs should be required to list, at the very least, what 3rd party resources a plugin uses and what, if any, data is collected that is not required to perform its stated purpose and what that data is used for

    i think the goal should be transparency and protecting user privacy over not wanting to place a small burden on plugin developers – i don’t see Firefox add-on devs jumping ship because of their add-on developer policies, and as for those that go elsewhere because they don’t respect user privacy, good riddance

    Moderator Steve Stern

    (@sterndata)

    Support Team Volunteer

    This would be an excellent blog post and something worth discussing on your own site or in social media. These forums are for technical support matters and this is not a support topic. Therefore, I’ve closed the topic. Definitely post this, but elsewhere!
